Custom user HTML input safety
Question
I am creating a website in php. One of the features is that users can edit their own pages by entering custom html code. Right now, you can enter code into a textarea and have it displayed in a div. In the future I plan on adding more helpful tools to the user.
My question is how to protect my site from malicious code. I know Facebook has an option to put custom HTML in a page tab so it can be done safely. Currently, the html is being displayed by a php script that echos it onto a page so users can enter javascript in <script> tags as well. I don't know the full limits of javascript and html but I know that custom javascript embedded into the website has the potential to screw things up.
Here are my ideas so far:
Remove all javascript from user code
- Pros: Easy
- Cons: Users can't do anything interesting with javascript
Limit the javascript to only execute inside the display div
- Pros: Safe custom javascript
- Cons: May be impossible/very difficult
If anyone has ideas about how to do this or how Facebook did this, I would love to know! Thanks in advance.
1 answers
solution1
2 ACCPTED 2014-06-28 05:40:55
If you are using php, an excellent solution is to use HTMLPurifier. It has many options to filter out bad stuff, and as a side effect, guarantees well formed html output.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.